Re: web documentation
I'll throw in one web server too. Today I found the thttpd server written by Jef Poskanzer. I haven't tried it, only unpacked it and looked around a bit. The URL is http://www.acme.com/software/thttpd/ and here's the head of the README file from the source distribution:

thttpd - tiny/turbo/throttling HTTP server
version 1.90a of 15nov96

thttpd is a simple, small, portable, fast, and secure HTTP server.

// Heikki
--
Heikki Vatiainen * [EMAIL PROTECTED]
Tampere University of Technology * Tampere, Finland
Re: web documentation
On Wed, 11 Jun 1997, Nathan E Norman wrote:

> On Tue, 10 Jun 1997, Jim Pick wrote:
>
> :
> :> Hmm. You want to have people run a web browser as root and run cgi
> :> scripts with root privilege. Please don't make this a default. I
> :> can't think of any way to make this secure. It would be better
> :> to hack together some kind of front end, or hack lynx into some
> :> kind of dedicated engine. The possibilities for accidents are
> :> too great if you run the scripts directly from lynx.
> :
> :That's true - but any time you allow logins into a system, you risk
> :making it insecure. Debian provides all sorts of ways to log in to
> :a system "by default" - but it is easy to turn them all off.
> :
> :It might be useful to use a specialized web server that is not
> :very configurable, but has an extra emphasis on security. This
> :could run on a non-standard port from /etc/inetd.conf, so it
> :wouldn't conflict with a web server on the same system which
> :was intended for normal uses.

You may want to consider the WN http server. It has extensive security features. By default, it serves no pages. It is also small and efficient. There is a daemon that can be run from inetd.

--
Jean Pierre
Re: web documentation
On Tue, 10 Jun 1997, Jim Pick wrote:

:
:> Hmm. You want to have people run a web browser as root and run cgi
:> scripts with root privilege. Please don't make this a default. I
:> can't think of any way to make this secure. It would be better
:> to hack together some kind of front end, or hack lynx into some
:> kind of dedicated engine. The possibilities for accidents are
:> too great if you run the scripts directly from lynx.
:
:That's true - but any time you allow logins into a system, you risk
:making it insecure. Debian provides all sorts of ways to log in to
:a system "by default" - but it is easy to turn them all off.
:
:Current web servers like Apache and Roxen are extremely configurable,
:which makes them really easy to misconfigure. So I don't think
:allowing this type of access using them is a wise move.
:
:It might be useful to use a specialized web server that is not
:very configurable, but has an extra emphasis on security. This
:could run on a non-standard port from /etc/inetd.conf, so it
:wouldn't conflict with a web server on the same system which
:was intended for normal uses.

This is essentially what the BSDI folks have done with their configuration product, called Maxim. It seems to work ok, but since I'm more comfortable at the command line, I turned it off.

Now, BSDI is not necessarily the pinnacle of configurability, but they've had Maxim since 2.1 at least ... the concept seems to be working well for them.

I personally would like to see an install program that defaults to newbie behaviour unless a flag is specified or one of the first choices is "expert mode", so that so-called experts don't have to fight through helpful menus and the like. (Some of us are stubborn).

My 2 cents.

--
Nathan Norman:Hostmaster CFNI:[EMAIL PROTECTED]
finger [EMAIL PROTECTED] for PGP public key and other stuff
Key fingerprint = CE 03 10 AF 32 81 18 58 9D 32 C2 AB 93 6D C4 72
Re: web documentation
On Jun 10, Paul Wade wrote
> On Tue, 10 Jun 1997, Bruce Perens wrote:
>
> > From: Paul Wade <[EMAIL PROTECTED]>
> > > The apache/dwww/lynx combo doesn't need X.
> >
> > Try using "boa" instead of apache. It's _much_ smaller, and faster
> > than apache. However, "lynx" itself can execute CGI scripts, and doesn't
> > really need a server to run "dwww".
>
> I'll give boa a try. Will it mess up anything on a system that has apache
> installed?

I actually just did this yesterday, and I highly recommend it! The only thing you ought to watch out for is that unless Apache is dead before you upgrade, boa won't start. I was running it from inetd anyway, so it was a little more complicated, but you can probably just remove apache before starting boa and it'll all be fine. Either that, or just run /etc/init.d/boa start once you've removed apache.

&E

--
Andy Mortimer, [EMAIL PROTECTED]
http://www.poboxes.com/andy.mortimer
PGP public key available on key servers
--
She talked about the armies that marched inside her head,
And how they made her dreams go bad.
But oh how happy she was, How proud she was, to be fighting in the war.
In the empty world.
Re: web documentation
>> Hmm. You want to have people run a web browser as root and run cgi
>> scripts with root privilege. Please don't make this a default. I
>> can't think of any way to make this secure. It would be better

I think they said that lynx can run CGI's without a webserver... *if* that is true then there is no (additional) security risk. Just put all the CGI's into the /var/admin directory and only allow root to read/execute stuff from it.

>It might be useful to use a specialized web server that is not
>very configurable, but has an extra emphasis on security. This
>could run on a non-standard port from /etc/inetd.conf, so it
>wouldn't conflict with a web server on the same system which
>was intended for normal uses.

If it was run from inetd then it could also be configured to deny non-local connections in host.deny by default.

>I like the idea. :-)

Hmmm, me too.

Adam.
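The inetd-plus-wrapper arrangement discussed in this thread, as an added example that is not part of any poster's message: a small audit that reads an inetd.conf-style file and checks each entry against hosts.allow/hosts.deny-style rules. The daemon names, service names and file contents are constructed for illustration, and the rule matching is deliberately simplified.

```python
# Added example: audit inetd entries against simplified hosts_access rules
# (exact names or ALL, IPv4 only). File contents are constructed samples;
# "admin-httpd" and "other-httpd" are hypothetical daemons.
INETD_CONF = """\
# service  socket proto wait   user   server                args
admin-http stream tcp   nowait nobody /usr/sbin/tcpd        /usr/sbin/admin-httpd
www-alt    stream tcp   nowait root   /usr/sbin/other-httpd other-httpd
"""
HOSTS_ALLOW = "admin-httpd: 127.0.0.1\n"
HOSTS_DENY = "admin-httpd: ALL\n"

def parse_inetd(text):
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0].startswith("#"):
            continue
        wrapped = f[5].endswith("/tcpd")
        # Under tcpd the real daemon is the first argument.
        path = f[6] if wrapped and len(f) > 6 else f[5]
        entries.append({"service": f[0], "user": f[4], "wrapped": wrapped,
                        "daemon": path.rsplit("/", 1)[-1]})
    return entries

def rule_matches(rules, daemon, client):
    for line in rules.splitlines():
        line = line.split("#", 1)[0]
        if ":" not in line:
            continue
        daemons, clients = (p.replace(",", " ").split()
                            for p in line.split(":")[:2])
        if ({daemon, "ALL"} & set(daemons)) and ({client, "ALL"} & set(clients)):
            return True
    return False

def allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    # hosts_access order: a hosts.allow match grants, then a hosts.deny
    # match refuses, and with no match at all access is granted.
    return rule_matches(allow, daemon, client) or not rule_matches(deny, daemon, client)

def audit(entry, remote="192.0.2.10"):
    findings = []
    if entry["user"] == "root":
        findings.append("runs as root")
    if not entry["wrapped"]:
        findings.append("not started through tcpd")
    elif allowed(entry["daemon"], remote):
        findings.append("remote clients allowed")
    return findings
```

Calling `audit()` on each result of `parse_inetd(INETD_CONF)` returns an empty list for the wrapped, unprivileged, local-only entry and two findings for the other one.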
Re: web documentation
> Hmm. You want to have people run a web browser as root and run cgi
> scripts with root privilege. Please don't make this a default. I
> can't think of any way to make this secure. It would be better
> to hack together some kind of front end, or hack lynx into some
> kind of dedicated engine. The possibilities for accidents are
> too great if you run the scripts directly from lynx.

That's true - but any time you allow logins into a system, you risk making it insecure. Debian provides all sorts of ways to log in to a system "by default" - but it is easy to turn them all off.

Current web servers like Apache and Roxen are extremely configurable, which makes them really easy to misconfigure. So I don't think allowing this type of access using them is a wise move.

It might be useful to use a specialized web server that is not very configurable, but has an extra emphasis on security. This could run on a non-standard port from /etc/inetd.conf, so it wouldn't conflict with a web server on the same system which was intended for normal uses.

I like the idea. :-)

Cheers,

- Jim
Re: web documentation
Quoting Paul Wade ([EMAIL PROTECTED]):
> I will also investigate the use of lynx directly with CGI. I hope that you
> are hinting at something I need: If I run lynx as root and execute an
> 'adduser' CGI script that cannot be executed by others, then I will start
> writing a whole buncha sysadmin CGI.

Hmm. You want to have people run a web browser as root and run cgi scripts with root privilege. Please don't make this a default. I can't think of any way to make this secure. It would be better to hack together some kind of front end, or hack lynx into some kind of dedicated engine. The possibilities for accidents are too great if you run the scripts directly from lynx.

--
Michael Stone, Sysadmin, ITRI
[EMAIL PROTECTED]
PGP: finger or email with "Subject: get pgp key"
Re: web documentation
On Tue, 10 Jun 1997, Bruce Perens wrote:

> From: Paul Wade <[EMAIL PROTECTED]>
> > The apache/dwww/lynx combo doesn't need X.
>
> Try using "boa" instead of apache. It's _much_ smaller, and faster
> than apache. However, "lynx" itself can execute CGI scripts, and doesn't
> really need a server to run "dwww".

I'll give boa a try. Will it mess up anything on a system that has apache installed?

I will also investigate the use of lynx directly with CGI. I hope that you are hinting at something I need: If I run lynx as root and execute an 'adduser' CGI script that cannot be executed by others, then I will start writing a whole buncha sysadmin CGI.

> > Wherever it is safe to do so, this could be expanded on. A good example
> > is the CGI/perl scripts for common commands like 'who'. Why not start a
> > collection of these so the user can get some system information using the
> > same interface?
>
> Sure. Want to work on that?

Since I did a lot of work which was rendered obsolete by the features of dwww, it would be a good idea to apply my experience to something like this. We could call it 'cute CGI/perl tricks' or we could fit it into the dwww scheme :-)

I will start gathering them up.

--
Paul Wade, Greenbush Technologies Corporation
mailto:[EMAIL PROTECTED] http://www.greenbush.com/
http://www.greenbush.com/cds.html Special Linux CD offer
web documentation
From: Paul Wade <[EMAIL PROTECTED]>
> The apache/dwww/lynx combo doesn't need X.

Try using "boa" instead of apache. It's _much_ smaller, and faster than apache. However, "lynx" itself can execute CGI scripts, and doesn't really need a server to run "dwww".

> Wherever it is safe to do so, this could be expanded on. A good example
> is the CGI/perl scripts for common commands like 'who'. Why not start a
> collection of these so the user can get some system information using the
> same interface?

Sure. Want to work on that?

Thanks

Bruce
--
Bruce Perens K6BP [EMAIL PROTECTED] 510-215-3502
Finger [EMAIL PROTECTED] for PGP public key.
PGP fingerprint = 88 6A 15 D0 65 D4 A3 A6 1F 89 6A 76 95 24 87 B3